4826 Boot Configuration Data loaded
Written at system startup when the current Boot Configuration Data (BCD) is loaded. It records the boot-time security settings (signature checks, debugging, and so on) and can be used to detect bootkits and driver abuse.
Overview
Subcategory: Audit Other Policy Change Events. The event is generated each time the system starts and loads the current BCD (Boot Configuration Data: the settings that define how the OS boots). It is always logged regardless of the subcategory setting, and it includes the state of the boot-time security-related options.
How it is triggered
- The BCD load at system startup (once per boot).
Security review points
- Watch for weakening of boot-time security settings. The following states are red flags because they allow loading unsigned drivers, installing bootkits, or tampering via debugging:
  - Test Signing enabled: allows loading unsigned/self-signed drivers.
  - Kernel Debugging enabled: can be abused to tamper with or control the boot.
  - Driver signature enforcement disabled / integrity checks disabled: allows loading malicious drivers.
- Deviations from the legitimate values should be suspected as preparation for boot-level persistence or defense evasion and investigated.
Notes for log review
- It is a reference event that appears once per boot. Look at whether the settings changed from the safe defaults rather than at the count.
- Know each host’s normal BCD baseline and detect enabling of test signing or debugging, or disabling of signature enforcement.
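A small baseline check of the kind the notes above describe, written as an added example for this page rather than code from the original. It parses the XML of a 4826 record as Event Viewer or Get-WinEvent export it, compares the security-relevant fields against a per-host "safe" baseline, and reports each deviation with the risk the review points associate with it. The sample events are constructed, and the `Data Name` values (`TestSigning`, `KernelDebugging`, `DisableIntegrityChecks`) are assumptions modelled on the 4826 schema; confirm them against an export from your own host before relying on the field names.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace (standard for exported events).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: a 4826 record with the safe defaults.
# Data Name values are an ASSUMPTION; verify against a real export.
SAFE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4826</EventID><Computer>host-a.example</Computer></System>
  <EventData>
    <Data Name="TestSigning">No</Data>
    <Data Name="KernelDebugging">No</Data>
    <Data Name="DisableIntegrityChecks">No</Data>
  </EventData>
</Event>"""

# Constructed sample: the same host after its BCD was weakened.
TAMPERED_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4826</EventID><Computer>host-a.example</Computer></System>
  <EventData>
    <Data Name="TestSigning">Yes</Data>
    <Data Name="KernelDebugging">Yes</Data>
    <Data Name="DisableIntegrityChecks">Yes</Data>
  </EventData>
</Event>"""

# Per-host baseline: the value each security field should show on a healthy
# boot, plus the consequence of a deviation (taken from the review points).
BASELINE = {
    "TestSigning": ("No", "unsigned/self-signed drivers can be loaded"),
    "KernelDebugging": ("No", "boot can be tampered with or controlled via a debugger"),
    "DisableIntegrityChecks": ("No", "code-integrity checks are off; malicious drivers can load"),
}


def parse_4826(xml_text):
    """Return (computer, {field: value}) from a 4826 event's XML.

    Raises ValueError if the record is not a 4826 event.
    """
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4826":
        raise ValueError("not a 4826 event: EventID=%r" % event_id)
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    fields = {}
    for data in root.findall("e:EventData/e:Data", NS):
        # Normalise Yes/No so case or stray whitespace cannot hide a change.
        fields[data.get("Name")] = (data.text or "").strip().lower()
    return computer, fields


def deviations(fields, baseline=BASELINE):
    """List (field, expected, actual, risk) for every field off its baseline.

    A field missing from the record is reported as well: a review should
    never silently pass because the value was absent.
    """
    found = []
    for name, (expected, risk) in baseline.items():
        actual = fields.get(name, "<missing>")
        if actual != expected.lower():
            found.append((name, expected, actual, risk))
    return found


def review(xml_text, baseline=BASELINE):
    """Parse one 4826 record and return its deviations from the baseline."""
    _, fields = parse_4826(xml_text)
    return deviations(fields, baseline)


if __name__ == "__main__":
    for label, event in (("safe", SAFE_EVENT), ("tampered", TAMPERED_EVENT)):
        computer, fields = parse_4826(event)
        for name, expected, actual, risk in deviations(fields):
            print(f"[{label}] {computer}: {name}={actual!r} (expected {expected!r}): {risk}")
```

Because the safe state is a per-host baseline and not a hard-coded rule, the same check works for hosts that legitimately run with, say, kernel debugging enabled: give those hosts their own `BASELINE` entry and the alert fires only when the recorded value departs from what is known-good for that machine.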
Key fields
| Field | Meaning |
|---|---|
| Test Signing | Whether test signing is enabled |
| Kernel Debugging / DEP etc. | The state of boot-time security options |
| Integrity Checks | Whether code-integrity checks are enabled |
Glossary
- BCD (Boot Configuration Data) — the settings area defining how Windows boots and its boot-time options. Whether signature checks and debugging are allowed is decided here.
- Bootkit — malware that embeds at the earliest stage of OS boot and runs before the OS to evade detection.